X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup;h=7d806123b21b1ddd106ab5d935a992016f4cfee2;hb=7815dd8b158226f7186bf987d270b4f824902555;hp=0c9fb29d5dce9c86b76551894d6808ad09c14fe6;hpb=d3d495af167adba91b190e8dcb95649c34fa04c7;p=automated-distro-installer diff --git a/wrt-setup b/wrt-setup index 0c9fb29..7d80612 100755 --- a/wrt-setup +++ b/wrt-setup @@ -1,7 +1,7 @@ #!/bin/bash set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # ssh @@ -55,7 +55,8 @@ cat >.profile <<'EOF' exit } EOF -v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server tcpdump +v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ + tcpdump openvpn-openssl @@ -103,12 +104,11 @@ EOF - # exportfs -ra won't cut it when its the same path, but now a bind mount +# exportfs -ra wont cut it when its the same path, but now a bind mount cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||: /mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) # for arch pxe /run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) - EOF 
@@ -117,60 +117,125 @@ v /etc/init.d/nfsd start v /etc/init.d/portmap enable v /etc/init.d/nfsd enable -# default is 250, but my switch wants a high static address by default, -# and I don't need that many, so lets just reduce it. -sed -ri 's/^(.*option limit ).*/\1100/' /etc/config/dhcp +v /etc/init.d/openvpn start +v /etc/init.d/openvpn enable + + +# setup to use only vpn in 5 ways: +# set lan forward to vpn instead of wan, +# disable wan masquerade, +# set the default for outgoing to reject, +# open wan port 1194 and 22 (ssh is too useful), +# setup port forwardings to use vpn. +firewall_restart=false +# https://wiki.openwrt.org/doc/uci +if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then + # default is wan + # https://wiki.openwrt.org/doc/uci + v uci set firewall.@forwarding[0].dest=vpn + uci commit firewall + firewall_restart=true +fi + +wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') +w="firewall.@zone[$wan_index]" +if [[ $(uci get $w.masq) == 1 ]]; then + v uci set $w.masq=0 + uci commit firewall + firewall_restart=true +fi + +if [[ $(uci get $w.output) != REJECT ]]; then + v uci set $w.masq=REJECT + uci commit firewall + firewall_restart=true +fi + +if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then + # default is wan + v uci set uci set firewall.@forwarding[0].dest=vpn + uci commit firewall + firewall_restart=true +fi + + +# from https://wiki.openwrt.org/doc/uci/firewall +# todo: not sure if /etc/init.d/network needs restarting. +# I did, and I had to restart the vpn afterwards. +# This maps a uci interface to a real interface which is +# managed outside of uci. 
+cedit /etc/config/network <<'EOF' ||: +config interface 'tun0' + option ifname 'tun0' + option proto 'none' +EOF + + + +# each port forward needs corresponding forward in the vpn server +cedit /etc/config/firewall <<'EOF' || firewall_restart=true +config zone + option name vpn + list network 'tun0' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + +config rule + option dest wan + option target ACCEPT + option dest_port '1194 22' -cedit /etc/config/firewall <<'EOF' || /etc/init.d/firewall restart # port forwarding config redirect option name bittorrent -option src wan +option src vpn option src_dport 63324 option dest_ip 192.168.1.2 option dest lan # making the port open (not sure if this is actually needed) config rule -option src wan +option src vpn option target ACCEPT option dest_port 63324 config redirect option name frodobittorrent -option src wan +option src vpn option src_dport 63326 option dest_ip 192.168.1.3 option dest lan config rule -option src wan +option src vpn option target ACCEPT option dest_port 63326 config redirect option name treetowlsyncthing -option src wan +option src vpn option src_dport 22000 option dest_ip 192.168.1.2 option dest lan option proto tcp config rule -option src wan +option src vpn option target ACCEPT option dest_port 22000 config redirect option name bithtpc -option src wan +option src vpn option src_dport 63325 option dest_ip 192.168.1.4 option dest lan config rule -option src wan +option src vpn option target ACCEPT option dest_port 63325 @@ -178,13 +243,13 @@ option dest_port 63325 config redirect option name ssh option src wan -#uncomment the 2 lines for security of using a non-standard port +# example of using a non-standard port # and comment out the 22 port line # option src_dport 63321 +# option dest_port 22 # already default option src_dport 22 option dest_ip 192.168.1.2 option dest lan -# option dest_port 22 # already default config rule option src wan 
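Review bot: The output-policy block writes the wrong key: it tests `uci get $w.output` but then runs `v uci set $w.masq=REJECT`, so the WAN zone's output default is never changed to REJECT (the "only vpn" kill-switch this hunk describes is not enforced by uci) and masq receives a non-numeric value; the line should read `v uci set $w.output=REJECT`. The second `if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]` block repeats the first one and its command is `v uci set uci set firewall.@forwarding[0].dest=vpn` (doubled `uci set`), which will most likely fail under `set -e`; dropping the duplicate block is the simplest fix. The `wan_index` sed pattern `([0-9])+` captures only the last digit, so `([0-9]+)` is what was presumably intended, and if the pattern matches nothing `$w` silently becomes `firewall.@zone[]`, which is worth guarding with `[[ -n $wan_index ]] || exit 1` before it is used.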
@@ -192,21 +257,21 @@ option target ACCEPT option dest_port 22 +# not using http server atm, so disable it. # for https -config redirect - option src wan - option src_dport 443 - option dest lan - option dest_ip 192.168.1.2 - option proto tcp +# config redirect +# option src wan +# option src_dport 443 +# option dest lan +# option dest_ip 192.168.1.2 +# option proto tcp -config rule - option src wan - option target ACCEPT - option dest_port 443 - option proto tcp +# config rule +# option src wan +# option target ACCEPT +# option dest_port 443 +# option proto tcp -# not using http server atm, so disable it. # config redirect # option src wan # option src_dport 80 
@@ -221,28 +286,45 @@ config rule # option proto tcp EOF +if $firewall_restart; then + /etc/init.d/firewall restart +fi dnsmasq_restart=false cedit /etc/hosts < # default dhcp range is 100-150 -dhcp-host=f4:6d:04:02:ee:eb,192.168.1.2,treetowl -dhcp-host=00:26:18:97:bb:16,192.168.1.3,frodo -dhcp-host=10:78:d2:da:29:22,192.168.1.4,htpc -dhcp-host=00:1f:16:16:39:24,192.168.1.5,x2 +dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl +dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo +dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc +dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2 # this is so fai can have an explicit name to use for testing, # or else any random machine which did a pxe boot would get # reformatted. The mac is from doing a virt-install, cancelling it, # and copying the generated mac, so it should be randomish. -dhcp-host=52:54:00:9c:ef:ad,192.168.1.6,demohost -dhcp-host=52:54:00:56:09:f9,192.168.1.7,faiserver -dhcp-host=80:fa:5b:1c:6e:cf,192.168.1.8,tp +dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost +dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver +dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp # this is the ip it picks by default if dhcp fails, # so might as well use it. # hostname is the name it uses according to telnet -dhcp-host=b4:75:0e:94:29:ca,192.168.1.251,switch9429ca +dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca # template # dhcp-host=,192.168.1., + +# Just leave the tftp server up even if we aren't doing pxe boot. +# It has no sensitive info. +tftp-root=/mnt/usb/tftpboot EOF if $dnsmasq_restart; then v /etc/init.d/dnsmasq restart fi + +cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart +config openvpn my_client_config + option enabled 1 + option config /etc/openvpn/client.conf +EOF
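Review bot: The new `/etc/init.d/firewall restart` is the only service restart in this section not wrapped in `v`, unlike `v /etc/init.d/dnsmasq restart` and `v /etc/init.d/openvpn restart` a few lines later; for consistency and so the action is logged the same way, make it `v /etc/init.d/firewall restart`. The comment above `tftp-root` justifies leaving TFTP up only on confidentiality grounds, while the earlier comment in the same heredoc says a PXE boot against the FAI server can reformat a machine; I would extend the comment to `# Leaving tftp up is safe only because fai acts on the explicit dhcp-host names above, not on arbitrary pxe clients.` so the actual safeguard is stated where the exposure is widened.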